beautypg.com

Version negotiation, Key and algorithm negotiation – H3C Technologies H3C S7500E Series Switches User Manual

Page 206

background image

11-2

Stages

Description

Authentication

The SSH server authenticates the client in response

to the client’s authentication request.

Session request

After passing authentication, the client sends a

session request to the server.

Interaction

After the server grants the request, the client and

server start to communicate with each other.

Version negotiation

1) The server opens port 22 to listen to connection requests from clients.

2) The client sends a TCP connection request to the server. After the TCP connection is established,

the server sends the first packet to the client, which includes a version identification string in the

format of “SSH-.

number>-”. The primary and secondary protocol version numbers

constitute the protocol version number, while the software version number is used for debugging.

3) The client receives and resolves the packet. If the protocol version of the server is lower but

supportable, the client uses the protocol version of the server; otherwise, the client uses its own

protocol version.

4) The client sends to the server a packet that contains the number of the protocol version it decides

to use. The server compares the version carried in the packet with that of its own. If the server

supports the version, the server and client will use the version. Otherwise, the negotiation fails.

5) If the negotiation is successful, the server and the client proceed with key and algorithm

negotiation; otherwise, the server breaks the TCP connection.

All the packets involved in the above steps are transferred in plain text.

Key and algorithm negotiation

z

The server and the client send algorithm negotiation packets to each other, which include the

supported public key algorithms list, encryption algorithms list, Message Authentication Code

(MAC) algorithms list, and compression algorithms list.

z

Based on the received algorithm negotiation packets, the server and the client figure out the

algorithms to be used. If the negotiation of any type of algorithm fails, the algorithm negotiation

fails and the server tears down the connection with the client.

z

The server and the client use the DH key exchange algorithm and parameters such as the host

key pair to generate the session key and session ID, and the client authenticates the identity of

the server.

Through the above steps, the server and the client get the same session key and session ID. The

session key will be used to encrypt and decrypt data exchanged between the server and client later,

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: